Issues with Existing Cryptographic Protection Methods for Routing Protocols
draft-ietf-opsec-routing-protocols-crypto-issues-07
Yes
(Dan Romascanu)
(Ron Bonica)
No Objection
(Gonzalo Camarillo)
(Lars Eggert)
(Peter Saint-Andre)
(Ralph Droms)
(Robert Sparks)
(Tim Polk)
Note: This ballot was opened for revision 07 and is now closed.
Adrian Farrel Former IESG member
Yes
Yes
(2010-06-01)
Unknown
Please capture the changes agreed with Young Lee as the result of his Routing Area Directorate review. --- Nit Abstract bullet 2 Begin with "it" Fix trailing spaces --- Nit Section 1 bullet 1 The implicit trust of routing protocol exchange protected by a shared secret is intended to protect against the injection of falsely generated routing data being injected into the routing system by unauthorized systems. A bit garbled. Too much injection!
Dan Romascanu Former IESG member
Yes
Yes
()
Unknown
Jari Arkko Former IESG member
(was Discuss)
Yes
Yes
(2010-06-03)
Unknown
The document says: [RFC4552] mandates the use of ESP with null encryption for authentication and also does encourage the use of confidentiality to protect the privacy of the routing information transmitted, using ESP encryption. Authentication/Confidentiality for OSPFv3 [RFC4552] mandates the use of ESP with null encryption for authentication and also does encourage the use of confidentiality to protect the privacy of the routing information transmitted, using ESP encryption. In both cases I struggled with the first part of sentence seemingly claiming that null encryption is mandatory, and then saying non-null encryption is encouraged. I think you meant to say "The use of authentication via ESP with null encryption is required and that additionally, ESP encryption is encouraged to protect the privacy of the transmitted routing information." Or something along those lines... The document says: With the proliferation of available hash algorithms, as well as the need to upgrade the algorithms, manually configuration requires coordination among intermediate systems which can become tedious. I guess this should be ... manual configuration requires ... The document says: Any security issues in the echo mode or packets will directly effect the BFD protocol and session states and hence the network stability. This should be ... affect ... The document says: Echo packets are not defined in the BFD specification, though they can keep the BFD session UP. No need for upper case UP. This should be "... session up", or "... in the UP state" (if BFD has such a state). I would like to voice my support for the change suggested in Lars Eggert's Discuss.
Ron Bonica Former IESG member
Yes
Yes
()
Unknown
Gonzalo Camarillo Former IESG member
No Objection
No Objection
()
Unknown
Lars Eggert Former IESG member
(was Discuss)
No Objection
No Objection
()
Unknown
Peter Saint-Andre Former IESG member
No Objection
No Objection
()
Unknown
Ralph Droms Former IESG member
No Objection
No Objection
()
Unknown
Robert Sparks Former IESG member
No Objection
No Objection
()
Unknown
Russ Housley Former IESG member
No Objection
No Objection
(2010-05-31)
Unknown
Please consider the comments in the Gen-ART Review from Enrico Marocco on 10-May-2010. The review can be found at: http://www.softarmor.com/rai/temp-gen-art/ draft-ietf-opsec-routing-protocols-crypto-issues-04-marocco.txt
Sean Turner Former IESG member
No Objection
No Objection
(2010-06-03)
Unknown
I support Tim's DISCUSSes.
Stewart Bryant Former IESG member
No Objection
No Objection
(2010-06-02)
Unknown
Scenario 1: R1 sends an authenticated RIP message to R2 with a cryptographic sequence num X. The attacker then needs a higher sequence number packet from the LAN. It could also be a packet originated by R2 either from this session, or from some earlier session. Where did the LAN come from? ======== Scenario 2: R1 announces a route with cost C1 to R2. This packet can be captured by an attacker. Later, if this cost changes and R1 announces this with a different cost C2, the attacker can replay the captured packet, modifying the source IP to a new arbitrary IP address thereby masquerading as a different router. R2 will accept this route and the router as a new gateway, and R2 would then use the non existent router as a next hop for that network. This would only be effective if the cost C1 is less than C2. There is surely a simpler attack. Attacker replaces R1 with bogus router foo in the original C1 packet, thereby creating an ECMP and causing a black hole for some fraction of the traffic. ========= o BFD allows a mode called the echo mode. Echo packets are not defined in the BFD specification, though they can keep the BFD session UP. There are no guidelines on the properties of the echo packets. Any security issues in the echo mode or packets will directly effect the BFD protocol and session states and hence the network stability. Having spoken to the BFD authors, I find that technically the echo packet can contain anything or nothing. Given the contents aren't evaluated by any device I'm not certain I understand the threat. The guideline is to use the general format but it isn't strict. The text should be updated to reflect this.
Tim Polk Former IESG member
(was Discuss)
No Objection
No Objection
(2010-06-03)
Unknown
(a) On discuss issue #1, here are some papers that could be referenced regarding concerns with SHA-1 and SHA-2: Wang, X., et alia, "Finding Collisions in the Full SHA- 1" Proceedings of Crypto 2005, Lecture Notes in Computer Science, Volume 3621, pp. 17-36, Springer-Verlag, Berlin, August 31, 2005. Praveen Gauravaram, Adrian McCullagh and Ed Dawson, "Collision Attacks on MD5 and SHA-1: Is this the 'Sword of Damocles' for Electronic Commerce?", Information Security Institute (ISI), Queensland University of Technology (QUT) 2 George Street, GPO Box 2434, Brisbane, Queensland 4001, Australia. Philip Hawkes1, Michael Paddon1, and Gregory G. Rose, "On Corrective Patterns for the SHA-2 Family", Qualcomm Australia, Level 3, 230 Victoria Rd, Gladesville, NSW 2111, Australia Arjen K. Lenstra, "Further progress in hashing cryptanalysis", Lucent Bell Laboratories, February 26, 2005 Praveen Gauravaram, William Millan and Juanma Gonzalez Neito, "Some thoughts on Collision Attacks in the Hash Functions MD5, SHA-0 and SHA-1", Information Security Institute (ISI), QUT, Australia. The references in RFC 5709 have a few more... (b) Some of the issues with manual keying are inherently limitations in the protocols while others are really deployment issues. Introduction of key IDs such as in TCP-AO enables out-of-band automated keying as described in draft-housley-saag-crypto-key-table-02 and draft-polk-saag-rtg-auth-keytable-02 It might be usueful to review the discussion of manual keying to ensure that thesdifferent cases are clearly differentiated. (c) The document uses "digest" and "signature" interchangably, but actually, those terms are well-defined in cryptography and have different meanings (and provide different properties). Only RFC-2154 provides signatures. All the other mechanisms (e.g. TCP-Auth for BGP, OSPF, RIP, ISIS) simply provide cryptographic digests for message origin authentication.